/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
{
ECDSA_SIG *s;
- RAND_seed(dgst, dlen);
+
s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey);
if (s == NULL) {
*siglen = 0;
EC_POINT *tmp_point = NULL;
const EC_GROUP *group;
int ret = 0;
+ int order_bits;
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) {
ECerr(EC_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER);
goto err;
}
+ /* Preallocate space */
+ order_bits = BN_num_bits(order);
+ if (!BN_set_bit(k, order_bits)
+ || !BN_set_bit(r, order_bits)
+ || !BN_set_bit(X, order_bits))
+ goto err;
+
do {
/* get random k */
do
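Review bot: The added `/* Preallocate space */` comment does not say why `k`, `r` and `X` are grown before the nonce loop, so a later cleanup could remove the block as dead code. Setting bit `order_bits` in each BIGNUM sizes it for a value one bit longer than the order, which appears intended to keep the later `BN_add` calls from reallocating while they handle the secret nonce. I would spell that out, e.g. `/* Preallocate order_bits + 1 bits in k, r and X so the fixed-length scalar additions below never reallocate */`. `order` is assigned outside this hunk, so it is worth confirming it has been NULL-checked before `BN_num_bits(order)` runs.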
goto err;
}
} else {
- if (!BN_rand_range(k, order)) {
+ if (!BN_priv_rand_range(k, order)) {
ECerr(EC_F_ECDSA_SIGN_SETUP,
EC_R_RANDOM_NUMBER_GENERATION_FAILED);
goto err;
/*
* We do not want timing information to leak the length of k, so we
* compute G*k using an equivalent scalar of fixed bit-length.
+ *
+ * We unconditionally perform both of these additions to prevent a
+ * small timing information leakage. We then choose the sum that is
+ * one bit longer than the order. This guarantees the code
+ * path used in the constant time implementations elsewhere.
+ *
+ * TODO: revisit the BN_copy aiming for a memory access agnostic
+ * conditional copy.
*/
-
- if (!BN_add(k, k, order))
+ if (!BN_add(r, k, order)
+ || !BN_add(X, r, order)
+ || !BN_copy(k, BN_num_bits(r) > order_bits ? r : X))
goto err;
- if (BN_num_bits(k) <= BN_num_bits(order))
- if (!BN_add(k, k, order))
- goto err;
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
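Review bot: The selection `BN_num_bits(r) > order_bits ? r : X` still branches on a property of the secret nonce, so the two additions are now unconditional but the choice of which sum to copy is not. The TODO admits this for the `BN_copy` but does not mention the `BN_num_bits` comparison. A branch-free choice would close the gap, for example testing bit `order_bits` of `r` and passing the result to `BN_consttime_swap`, provided the operands keep the fixed word count that the preallocation sets up. After this step `r` and `X` hold `k + order` and `k + 2*order`, so both need clearing on every exit path; only `BN_clear_free(X)` is visible in this diff. The enclosing function starts and ends outside the hunk.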
BN_CTX_free(ctx);
EC_POINT_free(tmp_point);
BN_clear_free(X);
- return (ret);
+ return ret;
}
int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
return NULL;
}
+ ret->r = BN_new();
+ ret->s = BN_new();
+ if (ret->r == NULL || ret->s == NULL) {
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
s = ret->s;
if ((ctx = BN_CTX_new()) == NULL ||
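Review bot: The new `goto err` in the `ret->r`/`ret->s` allocation check is taken before `ctx` is created on the following line, and possibly with only one of the two BIGNUMs allocated, so the `err:` cleanup (outside this hunk) has to cope with both. It is worth confirming that `ctx` and the other temporaries freed there are initialised to NULL at declaration. The failure path should also end in `ECDSA_SIG_free(ret)` and return NULL rather than hand back a half-built signature. If that is what `err:` does, a short comment at the check such as `/* on failure err: frees ret, including a partially allocated r/s */` would document the ownership.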
s = ECDSA_SIG_new();
if (s == NULL)
- return (ret);
+ return ret;
if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL)
goto err;
/* Ensure signature uses DER and doesn't have trailing garbage */
err:
OPENSSL_clear_free(der, derlen);
ECDSA_SIG_free(s);
- return (ret);
+ return ret;
}
int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,